stacklok / toolhive / 21494693263

29 Jan 2026 09:05PM UTC coverage: 60.485% (-0.005%) from 60.49%
Build 21494693263: push, github, web-flow
Add core OAuth authorization server interface and implementation (#3513)

This commit introduces a centralized OAuth 2.0 Authorization Server for
ToolHive, enabling MCP clients to authenticate via external Identity
Providers (like Google, Okta) and receive JWTs for accessing MCP servers.

Why this change:
- MCP clients need a way to authenticate users and obtain tokens
- ToolHive needs to issue its own JWTs rather than passing through IDP tokens
- Centralizing auth allows consistent token format across all MCP servers

Core changes:

Server interface (server.go):
- Handler() returns HTTP handler for all OAuth/OIDC endpoints
- IDPTokenStorage() provides access to upstream IDP tokens for middleware
- Close() releases resources

Implementation (server_impl.go):
- Integrates with fosite OAuth 2.0 framework
- Authorization code grant with PKCE (RFC 7636)
- JWT access tokens with asymmetric signing (JWKS endpoint)
- HMAC-signed authorization codes and refresh tokens
- Upstream IDP delegation for user authentication

Endpoints served:
- /.well-known/openid-configuration (OIDC Discovery)
- /.well-known/oauth-authorization-server (RFC 8414)
- /.well-known/jwks.json (JSON Web Key Set)
- /oauth/authorize (Authorization endpoint)
- /oauth/token (Token endpoint)
- /oauth/callback (Upstream IDP callback)
- /oauth/register (Dynamic Client Registration, RFC 7591)

Drive-by fixes discovered during integration:
- Add ScopesSupported to OAuth metadata (RFC 8414 compliance)
- Remove duplicate ScopesSupported field from OIDCDiscoveryDocument
  that shadowed the embedded AuthorizationServerMetadata field
- Sanitize upstream IDP error messages to avoid exposing internal
  details to clients (security hardening)
- Add mockgen directive for upstream.OAuth2Provider interface

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

125 of 215 new or added lines in 6 files covered. (58.14%)

2 existing lines in 1 file now uncovered.

39368 of 65087 relevant lines covered (60.49%)

76.1 hits per line

Source File: /pkg/authserver/server_impl.go (86.72)

Source Not Available

© 2026 Coveralls, Inc